
Re: [perl #17698] Consultation required on possible Perl security issue

Steven M. Christey
May 1, 2003 07:59


>> A week ago I notified people about the possible issues in Perl's taint
>> checker with respect to format string issues.  I have not received any
>> responses since then.
>> Has the Perl development community decided that the taint checker
>> should not be changed?  If so, then I would like to include a
>> statement to that effect.  I am delaying the release of this advisory
>> just in case the Perl community wants to change the taint checker.
>Did this ever get resolved?

Well, there is a general question as to whether this should be Perl's
responsibility in the first place, or that of the application

I did obtain this statement from one of the developers (unfortunately
I didn't record who it was):

    These issues do not represent a substantial security hole in perl
    itself.  Future versions of perl may extend tainting checks to
    format strings, or just to certain aspects of formats (such as

- Steve